Containment

In the Incident Response Process, containment is the step where the identified threat is controlled to prevent any further damage to the system and organization, while maintaining the integrity of the collected incident data. The primary goal of containment is to limit the attack's scope and prevent any further compromises.

Short-term and Long-term Containment

There are two main types of containment measures that need to be applied depending on the nature of the incident: short-term and long-term containment.

Short-term Containment

These measures are focused on stopping the immediate threat by disconnecting affected systems, blocking harmful IP addresses, or temporarily disabling the vulnerable service. However, these steps might result in the loss of valuable incident data, so it is essential to balance these actions against preserving evidence necessary for further investigation.
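As an added example (not from the original article), a small Python helper that puts the two points above into practice: it orders the capture of volatile evidence before each short-term action that would destroy it, and keeps a hash-chained log of the steps taken so the integrity of the incident record can be checked later. The action names and the evidence each one destroys are an assumed mapping, not something the article specifies.

```python
import hashlib
import json
from datetime import datetime, timezone

# Assumed mapping (not from the article): volatile evidence that each
# short-term containment action destroys, so it must be captured first.
EVIDENCE_LOST_BY = {
    "isolate_network": ["active_connections", "dns_cache"],
    "block_ip": ["active_connections"],
    "disable_service": ["process_memory", "open_files"],
    "power_off": ["process_memory", "active_connections", "open_files"],
}


def plan_containment(actions):
    """Return an ordered plan: each piece of volatile evidence is captured
    once, before the first containment action that would destroy it."""
    plan, captured = [], set()
    for action in actions:
        if action not in EVIDENCE_LOST_BY:
            raise ValueError(f"unknown containment action: {action}")
        for evidence in EVIDENCE_LOST_BY[action]:
            if evidence not in captured:
                plan.append(("capture", evidence))
                captured.add(evidence)
        plan.append(("contain", action))
    return plan


class ContainmentLog:
    """Append-only log where every entry hashes the previous entry, so a
    later edit to the record of containment steps is detectable."""

    def __init__(self):
        self.entries = []

    def record(self, step, operator, when=None):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"step": list(step), "operator": operator, "prev": prev,
                 "time": (when or datetime.now(timezone.utc)).isoformat()}
        entry["hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        prev = "0" * 64  # genesis value used by the first entry
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(
                json.dumps(body, sort_keys=True).encode()).hexdigest()
            if e["prev"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True
```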

Long-term Containment

Long-term containment focuses on implementing more sustainable solutions that address the root cause of the incident, such as applying security patches, configuring firewalls, and implementing access control measures. These actions are taken to prevent recurrence and must be performed in parallel with the recovery phase to ensure a comprehensive Incident Response Process.

Key Steps in Containment

The following are some key steps that you should follow during the containment phase:

By properly executing the containment phase of the Incident Response Process, you will be well-prepared to eradicate the root cause of the cyber security threat and recover your affected systems with minimal damage to your organization.